CyberWire Daily - Encore: Welcome to New York, it's been waitin' for you. [Research Saturday]
Episode Date: July 6, 2024
Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The research states that "the email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review." Proofpoint shares its findings and what you can expect from the threat group. The research can be found here: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
Yeah, so as part of my daily job, I track advanced adversaries that we assess to come from places like Iran or the Middle East. And we have in place different detections that we use to sort of find these and look in our emails to try to find these. It's very much with some of these benign conversations. It's like hunting for a needle in a haystack.

That's Joshua Miller. He's a senior threat researcher with Proofpoint's threat research team. The research we're discussing today is titled Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware.

And so one of our detection rules that I had written triggered and it came up that it was TA453. So we investigated it, talked to our customer, and then went through the whole malware chain.

Well, let's go through it together here. I mean, what was the thing that set off the trigger?

Yeah. So TA453 is known for pretending to be individuals who, they spoof well-known scholars in the nuclear space, the security space, and they sort of engage in these conversations with academics at think tanks, at universities, public policy experts. And so the English is actually pretty good when you look at these actual emails that we have, but they're always sort of asking for collaboration or they want to send an article or a link. And so after you look at these for a while, you sort of understand, hey, this is what they're doing. They're pretending to be this person and then sending over an offer for collaboration.

It's interesting to me. It strikes me that there's a certain amount of patience at play here in that the initial contact doesn't include the link, doesn't include the attachment. They ask for permission to take that next step.

Absolutely. And that's something we find very interesting is that sometimes we'll see them talk to, there's one case where we saw them talk to their target for weeks at a time before sending the actual malicious link or attachment. And other times, there's some cases where they send it in the initial email. So I think it really just depends on who the operator is, what the goal is, and also how much work have they put into setting up the infrastructure or dedicated to the target.

Well, let's continue down this path together. So the target gets this email, what happens next?

Yeah, so the target gets the email. And then after a reply to the actor, they send a malicious link. So the malicious link was an email with a Google macro. So scripts.google.com allows you to sort of host your own code. And it's a way that threat actors try to evade detection because it says that, hey, it's going to Google, which is similar to hosting things like Outlook or Dropbox, where it sort of evades detection because you have that known good of Google Cloud. So after the Google macro, it then redirected to Dropbox.
And at Dropbox, it had a RAR file titled Abraham Accords and MENA, which is Middle East and North Africa. And that RAR file title matched the content of the initial email that we had talked about where they said, hey, can you help me with this project that we're working on.

And so the victim gets that, and I suppose at this point, things look legit, but what exactly is going on here with that RAR file?

Yeah, so that's something that we've seen. This is the first time we've seen TA453, which we also call Charming Kitten. That's another name that they're known as. And the RAR file, when it opens up, it has an LNK file, which is a Windows shortcut file. And that uses some obfuscated PowerShell that reaches out to a cloud provider and downloads more PowerShell. This time it's Base64 encoded that reaches out to that same cloud provider. And then that PowerShell calls more that reaches out to a place called Clever Apps, which is a company that allows you to run JavaScript applications in the cloud. So again, you're seeing this really complicated attack chain across different cloud providers, different cloud services. And part of that is to maintain misattribution. If they're not using unique malware, they're using all these different cloud services, it's harder to identify them and attribute the campaign. So after Clever Apps, it downloads another function, and then it uses pieces of all of those different things that it's downloaded to start the backdoor, which we call GorjolEcho, which then displays the PDF and does some reconnaissance.
Yeah, you highlight in the research here the degree to which they're bouncing around to all these different cloud providers. What's the time scale that we're talking about here for these hops from one to another? I mean, are they going as fast as they can? Are they deliberately delaying some things? Is there anything of interest there?

Yeah, that's a great question. They are, at least for this piece of malware, going almost instantaneously. So it's, hey, we download this and then move on to the next function. There wasn't any necessary delays or sort of ways to evade detection in that way.

I see. Yeah, so we get this PDF file. Where do we go from there?

Yeah, so to the end user, it looks like, hey, I downloaded a RAR file from Dropbox or just downloaded a file from Dropbox and it's PDF displayed. So they don't see anything unusual. But in the background, it's downloading and executing what we call modular backdoor or GorjolEcho. So basically what that means is once the persistence and the backdoor is installed on the computer, the actor can choose which of the modules that they have, which are PowerShell scripts, get downloaded to the user's computer. So there's ones for things like taking screenshots, exfiltrating information, getting system information, and then also Volexity, another security vendor, found some for removing, so almost cleaning up the intrusion as well. So it's sort of a full-featured backdoor with different modules that they can deploy.
One of the things you highlight in the research is that evidently they discovered that one of their targets was running a Mac OS system, which required a little bit of extra effort on their part.

Yeah, and so like I mentioned before, the LNK file that's in the RAR is a Windows shortcut file. So obviously that's not going to run on a Mac computer. So about a week later, we saw them send another infection chain, this time designed for Macs. What I think is interesting here is not only do they send the attachment, which was masquerading as a VPN application, but they also set up a decoy website for an FTP server saying, hey, all the projects are on this server, but in order to connect to the server and work with our researchers, you have to run the VPN. So if you go to that decoy website, no matter what password you use, whether it's the one they provide or whether you try to put your own in, it doesn't work. And the idea would be is that they're trying to social engineer the target into making sure that they actually do run the malware that they sent, not just try to log into the shared drive.
Well, let's continue down the path here. I mean, what ultimately is the end game?

Yeah, so what we saw is they got the email, they sent out the VPN application, which was like we talked about, a Mach-O binary, and that Mac malware reached out to a dynamic DNS command and control that downloaded a second stage, which we call NokNok. That NokNok, similar to what we've talked about before, that modular backdoor for Windows, that's the same function that NokNok possesses. And so NokNok can do two things. And it can either retrieve commands and then kill itself and it's done running, or it can download more modules. So during our analysis, we found four modules. We saw one for downloading processes, information, applications, and then persistence. And so all of these modules are pretty interesting. They're similar and correspond to a lot of the modules that we've seen on the Windows side, but obviously they're meant for Mac. And they all have very similar functionality as far as encryption and encoding for exfiltration back to that dynamic DNS website, which again, another cloud provider that TA453 uses. And then the persistence mechanism basically establishes a copy of the previous kill chain in a location that will run again should the software timeout. So that's sort of what we saw. Our assessment, and we didn't get a chance to see this, but our assessment is that the malware would... So we saw four modules on the Mac side, and Volexity talked about seeing nine modules on the Windows side. Our assessment is that once those four modules are reporting back constantly to Charming Kitten, that's when we'll start seeing hands-on keyboard, and we'll start seeing some of those more modules meant for exfiltrating screenshots, maybe grabbing files, those sort of things. We didn't see those yet in our research, but that's sort of our assessment of, hey, where would this go? Well, they're going to start trying to get files, not just conduct reconnaissance.
So it sounds like you're pretty confident in the attribution here for TA453. What do we need to know about them?

So TA453 is probably one of the most persistent groups that we see. They consistently target the same organizations and individuals over and over. So they target everything from nonprofit organizations, government officials, sometimes travel agencies. And we attribute that they are aligned with Iran and specifically the IRGC-IO. So what that means is that they are, everything that they do, all the phishing emails they send, the malware that they deploy, operates in support of Iran and Iran's interest and to gain intelligence for Iran. What we don't know is whether or not they are uniformed military officers, whether they're just contractors. Iran does a little bit of both. They also have people who do compulsory military service. We at Proofpoint don't have visibility into the actual, hey, this is the person behind the computer. But what we see is that this group, which we cluster together, is pretty persistent. They also, we believe, respond to different priorities from the Iranian regime. So when COVID came out, we saw them starting to target pharma companies and medical research. We've also seen them target with the recent protests and unrest in Iran. We've seen them target human rights scholars, women scholars, those sort of individuals to sort of understand the who behind the action. And what we see is they typically will try to gather credentials from people and use those credentials to then exfiltrate the email to then obviously gain the intelligence from that email. There was also the US government indicted some members of Charming Kitten or TA453 for conducting ransomware. So just like a lot of groups, there's different teams of TA453 and one of them was using different exploits, pretty much all the exploits of the last couple of years that were opportunistic, sort of that wide internet scanning that then leading to compromise. So the U.S. government indicted a couple of front companies for that activity.
So what are your recommendations then? Based on the information you all have gathered here, how should folks go about best protecting themselves?

Yeah. So a big thing is just verifying who is sending you that link or that attachment. If it's not coming from their organizational account, meaning their .edu, their .org, the official domain, if it's coming from a Gmail, Yahoo, Outlook, verify with them in some other way before opening it. That's the biggest thing we can do. If it's a journalist that you think is reaching out to you, reach out to them via their newsroom to understand, hey, is this a legit email or is this someone pretending to be that journalist? The other thing to do is making sure that you use strong passwords. It's always a good one. But also, if your account ever does get compromised, something to look at. A lot of personal email accounts have something called application-specific passwords. And that's where you are allowing different applications to access your email for whatever purpose. We've seen Charming Kitten use that as a way to maintain persistence to email accounts. So it's great to change your password after you've been compromised. You also want to make sure there's not any application-specific passwords hanging out because even if you change your password, those don't change. So that's really the biggest thing is just verify who's sending you this information and just being aware that this threat's out there. We see it from Iran targeting experts. We see it from North Korea as well as China. And Russia too, honestly. So it's just good to be aware of who's sending you email.
Our thanks to Joshua Miller from Proofpoint for joining us. The research is titled Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware. We'll have a link in the show notes.
This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpie. And I'm Dave Bittner. Thanks for listening.